RE: Round 2 RE: [FW1] oh so frustrating IKE VPN problem
When I try to ping from one private net to another through the IKE tunnel all I'm seeing in the log is:

  Interface  Origin  Action  Source  Destination  Protocol  Rule
  daemon     fw1     drop    fw1     fw2          icmp      2

Rule 2 on the origin is:

  Source             Destination        Service  Action   Track  Install
  domain1 & domain2  domain2 & domain1  Any      Encrypt  Long   fw1

-----Original Message-----
From: Chris Arnold
Sent: Thursday, December 14, 2000 12:04 PM
To: 'Michael Liberte'; '[email protected]'
Subject: Round 2 RE: [FW1] oh so frustrating IKE VPN problem

I'm not sure I follow you. I've established two group objects, each containing a private network and their respective FWs. There doesn't seem to be any way to NAT the encryption domain. I do, however, have each network (minus the FWs) doing hide behind NAT of the public interface address of the respective FWs. Is that what you meant? If I remove the NAT there, my internal networks can't reach any public addresses, which is a requirement for us.

The CP doc said to create two group objects with my internal networks and FWs in them, one for each side of the tunnel, and use the group as my encryption domain. Should the encryption domain just be the internal network instead of the group (i.e. minus the FW)?

Thanks.

Chris

-----Original Message-----
From: Michael Liberte [mailto:[email protected]]
Sent: Thursday, December 14, 2000 8:10 AM
To: 'Chris Arnold'; '[email protected]'
Subject: RE: [FW1] oh so frustrating IKE VPN problem

Add an address translation rule that says that both encryption domains will communicate between each other without address translation (original). This rule must be on before all other NAT rules.

Give us some more information about the messages that you get in the log when you try to communicate between the two sites.

HTH,
Michael.

-----Original Message-----
From: Chris Arnold [mailto:[email protected]]
Sent: Thursday, December 14, 2000 3:21 AM
To: '[email protected]'
Subject: [FW1] oh so frustrating IKE VPN problem

Hello, all.

I've been bumbling through a multiple FW-1/VPN-1 (4.1 SP2 on one and 4.1 SP1 on the other) installation with the help of you all for a few weeks now. I'm at the final step and can't quite get it, though. I followed CP's page on setting up an IKE site-to-site VPN tunnel between two CP FWs ("How to setup gateway to gateway Single Entry Point (SEP) IKE VPN tunnel with VPN-1 4.1?").

  10.3.0.0/16 --> FW <--> Internet <--> FW <-- 10.1.0.0/16

Both private networks can reach the internet successfully with hide behind NAT. The trouble comes when I try to reach one private network from the other. I keep seeing drops due to the rule:

  (both private nets)  (both private nets)  ANY  ENCRYPT  LONG  GATEWAYS

I'm trying to do shared secret IKE with any encryption and hash. The encryption domains are two groups with their respective private networks and FWs. For the interface security of the FWs I have "others" associated with the external interfaces and "this net" for all of the internal interfaces.

Any thoughts on how to get this going? Will CP do the routing here or do I need to add routes on the OS beneath it? Licensing is correct also. The FW module works perfectly. Sigh.
Chris

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
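Michael's advice in the thread is a rule-ordering point: a NAT rule base is evaluated first-match, so a hide rule that matches "private net to Any" also swallows the private-to-private traffic unless the no-translation ("Original") rule sits above it. The following Python simulation is an added example, not part of the thread and not Check Point code. The two private networks are the ones Chris gives; the public gateway addresses 192.0.2.1 and 198.51.100.1 and the host addresses are constructed placeholders. It models the NAT rule base as a first-match list, shows what source address leaves the gateway under each ordering, and flags exemption rules that an earlier, broader rule shadows.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# The two private networks are the ones described in the thread. The public
# gateway addresses are constructed placeholders from the documentation ranges,
# not the addresses of any real firewall.
NET_A = ip_network("10.3.0.0/16")
NET_B = ip_network("10.1.0.0/16")
FW1_PUBLIC = ip_address("192.0.2.1")      # assumed: public interface of fw1
FW2_PUBLIC = ip_address("198.51.100.1")   # assumed: public interface of fw2
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class NatRule:
    """One row of a NAT rule base. hide_behind=None models the 'Original'
    translation: the packet leaves with its source address untouched."""
    name: str
    src: IPv4Network
    dst: IPv4Network
    hide_behind: Optional[IPv4Address]


def translate(rules: List[NatRule], src: str, dst: str) -> Tuple[str, str]:
    """First-match evaluation: the first rule whose source and destination
    columns both match decides the translation; later rules are never consulted.
    Returns (matching rule name, source address after translation)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.name, str(s if rule.hide_behind is None else rule.hide_behind)
    return "no-nat", str(s)


def in_encryption_domains(src: str, dst: str) -> bool:
    """True when the packet looks like traffic between the two private networks,
    i.e. what the encrypt rule is meant to match."""
    s, d = ip_address(src), ip_address(dst)
    return (s in NET_A and d in NET_B) or (s in NET_B and d in NET_A)


def tunnel_sees_private_source(rules: List[NatRule], src: str, dst: str) -> bool:
    """Apply NAT first, then ask whether the result still looks like
    private-to-private traffic. If a hide rule fires first, the source is
    replaced by the gateway's public address and the answer becomes False."""
    _, translated = translate(rules, src, dst)
    return in_encryption_domains(translated, dst)


def shadowed_rules(rules: List[NatRule]) -> List[Tuple[str, str]]:
    """Static check for the ordering mistake: a rule is unreachable when an
    earlier rule's source and destination both cover it completely.
    Returns (shadowed rule, rule that shadows it) pairs."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst):
                found.append((later.name, earlier.name))
                break
    return found


# The rule base as the thread describes it: hide NAT for each private network,
# plus the "Original" exemption for traffic between the two encryption domains.
EXEMPT_A_TO_B = NatRule("vpn-no-nat a->b", NET_A, NET_B, None)
EXEMPT_B_TO_A = NatRule("vpn-no-nat b->a", NET_B, NET_A, None)
HIDE_A = NatRule("hide net-a", NET_A, ANY, FW1_PUBLIC)
HIDE_B = NatRule("hide net-b", NET_B, ANY, FW2_PUBLIC)

WRONG_ORDER = [HIDE_A, HIDE_B, EXEMPT_A_TO_B, EXEMPT_B_TO_A]  # hide rules on top
RIGHT_ORDER = [EXEMPT_A_TO_B, EXEMPT_B_TO_A, HIDE_A, HIDE_B]  # exemption on top

if __name__ == "__main__":
    host_a = "10.3.1.10"   # constructed host on the 10.3.0.0/16 side
    host_b = "10.1.1.20"   # constructed host on the 10.1.0.0/16 side
    for label, rules in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        name, seen = translate(rules, host_a, host_b)
        print(f"{label}: ping {host_a} -> {host_b} matched '{name}', "
              f"source on the wire = {seen}, tunnel sees private source: "
              f"{tunnel_sees_private_source(rules, host_a, host_b)}")
        print(f"{label}: shadowed rules = {shadowed_rules(rules)}")
```

With the hide rules on top, the 10.3.x host's ping to 10.1.x leaves with fw1's public address as its source, so it no longer looks like domain-to-domain traffic, and `shadowed_rules` reports both exemption rules as unreachable; with the exemption rules on top, the same ping keeps its private source while traffic to a public destination still falls through to the hide rule. The shadowing check only detects rules fully covered by an earlier row, which is the case the thread describes.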